[Cryptography] Crypto best practices

Hanno Böck hanno at hboeck.de
Fri Mar 10 09:49:39 EST 2017


On Fri, 10 Mar 2017 08:44:21 -0500
Arnold Reinhold <agr at me.com> wrote:

> On Wed, 8 Mar 2017 00:34:44 +0100 Hanno Böck wrote:
> 
> >> This looks like some very valuable advice:
> >> https://wikileaks.org/ciav7p1/cms/files/NOD%20Cryptographic%20Requirements%20v1.1%20TOP%20SECRET.pdf
> ...
> >>> Confidentiality must be provided by AES with a minimum key size of
> >>> 256 bits. The cipher must be operated in Galois/Counter Mode
> >>> (GCM), Counter Mode (CTR), or Cipher Block Chaining Mode
> >>> (CBC).    
> > 
> > That's already bad advice. Use an AEAD, always. From the mentioned
> > ones only [GCM (per Hanno’s correction)] is an AEAD.  
> 
> They do say elsewhere: "Authentication must be provided using HMAC,
> asymmetric cryptography, or by operating the chosen block cipher in
> Galois/Counter Mode (GCM)."

This is horrible advice nobody should follow. Using both HMAC and
asymmetric cryptography has led to a plethora of vulnerabilities in the
past. It can be done right, but it is full of pitfalls. With HMAC you
have to consider the order of encryption and MAC-ing, with signatures
there are very subtle bugs that can and do happen easily (see XML
signature wrapping attacks or the recent iMessage vulnerability).

Just use authenticated encryption with an AEAD. Don't try to do anything
that you think is like an AEAD. It most likely is not.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno at hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

